Note: XWindows has just been changed to use a virtual file system. So now we can even use pam_namespace to mount over the /tmp directory. Hoorah for Adam Jackson. Awesome work.

If you have any world writable directories (What are you thinking?) Then you should add those to this list also.

Now we need to tell SELinux that we are going to support polyinstatiation.Polyinstantiation means that two different users looking at the same file path, would see different files. So we set the allow_polyinstatiation boolean

setsebool -P allow_polyinstantiation on

pam_namespace will automatically create an populate the home directory from /etc/skel But in order to make SELinux labeling correct, we want to create two directories in /etc/skel

mkdir /etc/skel/.mozilla /etc/skel/.gnome2

Note: Hopefully future versions of firefox and libgnome will do this by default.

Finally we need to tell /etc/pamd.d/gdm to use pam_namespace.

So add session required pam_namespace.soTo /etc/pam.d/gdm

You should be able to login as the xguest user now.

So now when the Pain in the butt, asks you to use your machine, you go up to you switch user pannel applet, select xguest, and log in the account. When they are done, you simply kill the xsession/log them out. Any files they left in /var/tmp, /tmp or ~xguest will be destroyed. So hopefully they can't leave any evilness around.